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[57] ABSTRACT 

A system is disclosed for selectively altering the func- 
tional characteristics of a data processuig system with- 
out physical or mechanical manipulation by providing 
an access code from a remote personal identification 
number generator to a secure controller and store of the 
computer system. This enables remote authorization of 
change in function of the computer system, such as 
performance tune up, speeding clock time, changing 
function and like changes. The computer system is first 
manufactured having a predetermined set of functional 
characteristics. A multibit alterable code which in- 
cludes a functional characteristic definition is then ini- 
tially loaded into physically secure, nonvolatile mem- 
ory within the data processing system, utilizing an exist- 
ing bus, or a fusible link which may be opened after 
loading is complete. The functional characteristic defi- 
nition is loaded from nonvolitile memory into a non- 
scannable register within a secure portion of a control 
logic circuit each time power is applied to the data 
processing system and the definition is then utilized to 
enable only selected functional characteristics. Alter- 
nate functional characteristics may thereafter be selec- 
tively enabled by entering a security code which 
matches one of a number of preloaded codes and an 
encoded alternate functional characteristic definition. 
The alternate functional characteristic definition may 
be enabled on a one-time, metered, or regularly sched- 
uled basis and variable capability data processing sys- 
tems may be implemented in this manner utilizing a 
single manufactured system, without the necessity of 
manufacturing and storing multiple data processing 
system models. 

12 Claims, 12 Drawing Sheets 
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for protecting sensitive data, such as private security 

SELF MODIFYING ACCESS CODE FOR codes. 

ALTERING CAPABILrTIES Each of the methods described above permits the 

storage and utilization of sensitive or private data; how- 

CROSS REFERENCE TO RELATED 5 ever, none of these pubUcations teaches a technique 

APPLICATIONS whereby the functional characteristics of a data pro- 

Thc present application related to and a continuation- cessing system may be selectively altered. Systems do 

in-part of co-pending patent application U.S. Ser. No. exist for enabling or disabling electronic equipment 

029,856, filed Mar. 11, 1993 entitled "Method and sys- utilizing "keys" or other similar devices. Primarily such 

tern for selectively altering data processing system func- systems are directed to enabling or disabling reception 

tional characteristics without mechanical manipula- of television or CATV signals within a television re- 

tion". ceiver. For example, see U.S. Pat. Nos. 4,577,224 and 

This co-pending application and the present apphca- 4,471,379. 

tion are owned by one and the same assignee, Interna- In summary, many systems exist which permit se- 

tional Business Machines Corporation of Armonk, New lected users to access and manipulate particular files 

York. within a data processing system or which enable or 

FIELD OF THE INVENTION disable a selected electronic system; however, no 

known systems exist which permit the functional char- 

This invention is related to computers and computer acteristics of a data processing system to be selectively 

systems and particularly to computer functions con- ^0 modified without the necessity of physical or mechani- 

trolled from a remote location. cal manipulation. 

The description set forth in this co-pending applica- 
tion is hereby incorporated into the present application SUMMARY OF THE INVENTION 
by this reference. Our invention deals with the use of secure access 
GLOSSARY OF TERMS generation that permits repetitive modification of 
, . ^ ^ machine function and permits a range of numbers that 

While dicuonary meanmgs are also miphed by certam ^ ^^^^^^ j^^ead of one unique nmnber. We have 

tenns used here, the followmg glossary of some terms ^^^^^^ ^ of modification of a computer function 

Sto * ^^^ ^ r * 1.- 1 -.t. in an unhmited number of times with each such modifica- 

?m AcSf SS^^ ?f3;*code accompanied by a unique access code PIN. Such a 

FIN ACCt^b UUUK usea as a security coae. mechanism permits, as an example, a computer leasing 

BACKGROUND OF THE INVENTION operation to schedule and modify the performance of 

As background for our invention, there have been for ^^T''^'^ at various intervals or to permit access to 

many yearf password generators for a PIN. PINs have 35 ^^her function for various penods of tmies as 

been used to gain access to automated tellers and secu- needed by their customers^ , ^ , u 

rity areas when unattended operation and/or verifica- ^ ^ °f ^'^'^ ^^^f"^ T selectively alter the 

tion of authorization is desired. They have been used for functional charactensUcs of a data processmg system 

granting access to computers, as illustrated by U.S. Pat. 71*^°"* physical or mechamcal mampulation, our pre- 

No. 4,799,258 to Davies et al granted Jan. 17, 1989. 40 ^erred computer system is manufactured havmg a pre- 

PINS may be generated automatically, and may be determmed set of functional characteristics. A multibit 

generated by random number generators or pseudo-ran- alterable code which includes a functional characteris- 

dom number sequences stored in the memory of a com- definition is then initially loaded into physically 

puter. U.S Pat. No. 4,800,590 to James C. Vaughan secure, nonvolatile memory within the data processing 

illustrates a password generating device for generating 45 system, utilizmg an existing bus, or a fusible link which 

passwords, and a computer access system based upon ^ay be opened after loading is complete. The functional 

the generated secure number based on time such that characteristic definition is loaded from nonvolatile 

the algorithm is valid only over a 3 minute window. memory into a nonscaimable register within a secure 

However, the lock or unlock of a computer system e.g. podion of a control logic circuit each time power is 

the host computer of Vaughan does not satisfy needs 50 applied to the data processing system and the definition 

which are now possible to achieve. It is dissimiiar simi- is then utilized to enable only selected functional char- 
lar in that it doesn't deal with repetitive modification of acteristics. Alternate functional characteristics may 

machine function and permits a range of numbers that thereafter be selectively enabled by entering a security 

can be matches instead of one unique number. code which matches one of a number of preloaded 

Many methods exist for granting or revoking a user's 55 codes and an encoded alternate functional characteristic 

access to selected facilities or files within a data process- definition. The alternate functional characteristic defuii- 

ing system. These techniques often utilize a secret "key" tion may be enabled on a one-time, metered, or regu- 

or "password" entered by a user and recognized within larly scheduled basis and variable capability data pro- 

the data processing system as an indication of the user*s cessing systems may be implemented in this manner 

ability to read, write, delete, copy or append a selected 60 utilizing a single manufactured system, without the 

record. One example of such a system is disclosed in necessity of manufacturing and storing multiple data 

U.S. Pat No. 4,799,258, Further, several known tech- processing system models. 

niques exist for storing such **keys,'* "passwords" or The improvements which we have made achieve the 
other secure data within secure storage devices within a security of ownership of the control of functions within 

data processing system. For example, U.S. Pat. No. 65 a computer system and an inexpensive technique for 
4,949,927 discloses a method for providing a security unlimited alterations to the functional capability of the 

module for physically protecting such sensitive data. computer system. These improvements are accom- 

Similarly, U.S. Pat. No. 4,759,062 discloses a method phshed by providing a secure function transmitter 301 
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controlling 309 a remote computer system 302. The example, the operation of the invention. As an example, 
secure control generator 303 creates a unique access assume that a computer system is rented to a customer 
number PIN accompanymg a control message sent to by a supplier. The computer system has the capability of 
the computer system. While security for the control executing a million instructions in one minute but the 
generator is accomplished by ordinary techniques, secu- 5 customer wishes to pay for less performance, say five 
rity for the secure control 307 within the computer hundred instructions per minute. The supplier will en- 
system is provided by providing a secure nonvolatile code a PIN number that vAW match the PIN number 
store within the data processing system with a multibit that is expected by the computer system and sends a 
alterable code stored therein. The secure control 307 message to the computer system that it is to run at one 
compares the PIN and enables the function 308 if per- 10 iialf speed. The computer system upon receiving the 
mitted by the PIN. PIN sets the new speed into the machine. Later in the 

These and other improvements are set forth in the month, an unexpected situation arises and the customer 
following detailed description. For a better understand- needs full performance for two days. The customer 
ing of the invention with advantages and features, refer orders the two days of performance at one million in- 
to the description and to the drawings. 15 structions in one minute. The supplier transmits the new 

BRIEF DESCRIPTION OF THE DRAWINGS number and the message to run at full speed. Two 

days later, the suppHer transmits a new PIN and re- 

FIG. 1 is ahigh level block diagram of a data process- ^^^^^^ half speed. Security for the transactions is 
ing system which may be utilized to implement the guaranteed by the one time use ofthe PIN to change the 
method and system of the present invention; 20 pgrfonnance. The security of the PIN number genera- 

FIG. 2 is a high level schematic representation of one jg ^^e fact that the data algorithm is con- 

multichip module from the cen^d electromc complex within the secure area of the computer and the 

of the data processmg system of FIG. 1; ^^^^^ supplier. 

FIG. 3 is a high level schematic representation of the 
control and security logic circuitry which may be uti- 25 The Preferred Embodiment 

lized within the multichip module of FIG 2 to imple- ^ invention in greater detail, it will 

ment the method and system of the present mvention; ^^^^ ^^^^ j fliustrates generally a secure func- 

FIG. 4 IS a more detailed schem^represenUtion of transmitter 301 controllini via a data link 309 a 

the contro and bgic circuitry of FIG. 3; remote computer system 302. The secure control gener- 

FIG. 5 IS a hieh level logic flowchart depictmg a 30 , -n- ' • . ^txt 

rivj. ^ a i i 5i Jl^^^Sr.» ator 303 creates a umquc access number PIN accompa- 

ayaiciu wjuvii u^aj k While sccunty for the control generator is accom-; 

^il^'^Tlsi^^^^^ chad Which illus- pushed by ordina^^^^^ the secure 

trates the enablement of sdeftedfmictionalch^^^ 35 contro 307 withm the computer system ^^^^^^ 
tics within a data processing system in response to the P^ovidmg a secure nonvola Ue store withm the data 
application of elecLal power! in accordance with the processirjg system with a multtbit alterable^code scored 

method and system of the present invention; and '^^^^J^T^T T''?^ ^°^^7^'?i,^tT 

FIGS, la and lb together form a high level logic ^^^les the function 308 if permitted by the PIN. 
flowchad which depicts the process of selectively alter- 40 For an overview of the computer system the data 
ing the functional characteristics of a data processmg processmg system which can be selective y altered for 
system in accordance with the method and system of Actional charactenstics witibout physic^ or mecham- 
the present invention. f ^ manipulation, refer to FIG. 1. HG. 1 depicts a high 

FIG. 8 shows schematically an overview of the pre- level block diagram of a data processmg system which 
ferred embodiment of our invention. 45 may be utilized to implement the method and system of 

FIG. 9 shows a more detailed view of our secure the present invention. As iUustrated. the data processmg 
function transmitter. system includes a computer 302 having a data Imk 309 

FIG. 10 shows the secure function controDcr 18 and an operator console 12 coupled in a manner well 
within a computer system. l^o^ art. Many of the high level components 

FIG. 11 shows our access code PIN generator. 50 within computer 302 are depicted within HG. 1, in- 

FIG. 12 shows a access generation/update flow dia- eluding main store 14, which serves as the main elec- 
gram depicting the logical steps used in creating the tronic storage within computer 302, and a central dec- 
new access code used for each functional update. tronics complex 16 is also depicted. As will be explained 

Note: For convenience of illustration, FIGURES in greater detail herein, central electronics complex 16 
may be separated in pads and as a convention we place 55 may include multiple multichip modules which serve to 
the top of the FIGURE as the first sheet, with subse- perform the various functions of the central electronic 
quent sheets proceeding down and across when view- complex, or alternately, central electronics complex 16 
ing the FIGURE, in the event that multiple sheets are may be provided with a single high density circuit and 
yiscd. including integrated circuit devices equivalent to sev- 

Our detailed description explains the preferred em- 60 eral million transistors, 
bodiments of our invention, together with advantages A service processor 18 is provided and is preferably 
and features, by way of example with reference to the coupled between operator console 12 and central elec- 
following drawings. tronics complex 16 to provide access to the functions 

r\T? TTTT? circuitry therein.. A power supply 20 and input- 

DETAILED DESCRIPTION OF THE ^5 /output channels 22 are also typically provided in such 

INVENTION ^ computer system, as those skilled in the art will appre- 

Before considering our preferred embodiments in ciate. Input/output channels 22 are preferably utilized 
detail, it may be worthwhile to illustrate, by way of to access various direct access storage devices (DASD), 
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such as diskette or tape storage devices, or printers, Referring now to FIG. 4, there is depicted a more 
terminals or similar devices. detailed schematic representation of the control and 
Still referring to FIG. 1, the high level segments of logic circuitry of FIG. 3. As illustrated, control and 
central electronics complex 16 are illustrated. In a mod- security logic chip 50 includes both an unsecure portion 
em mainframe computer such as the International Busi- 5 and a secure portion. Within the secure portion of con- 
ncss Machines Corporation System/390 the central trol and security logic chip 50 control logic 68 are pro- 
electronics complex typically includes four or more vided. Control logic 68 is preferably coupled to both 
multichip modules which serve to address various fiinc- EEFROM 52 and EEPROM 54 which contain, in a 
tions within a central electronics complex. As illus- manner which will be explamed in greater detail herem, 
trated within FIG. 1, central electronics complex 16 10 various mxiltibit alterable codes which may be utilized 
includes an SC module 24 which preferably serves to to selectively alter the functional characteristics of corn- 
buffer and control the flow of data between main store puter 302. In the depicted embodiment of the present 
14, input/output module 26 and the various processors invention, multiple copies of this multibit alterable code 
within computer 302. Input/output module 26 prefera- are provided within multiple nonvolatile storage de- 
bly serves to control and buffer data between input/out- 15 vices in order to minimize the possibility of disruption 
put channek 22 and main store 14 in a manner well due to failure. As illustrated, EEPROM 52 includes two 
known in the art. Similarly, B module 28 is provided to identical copies of the multibit alterable code, which 
buffer and control instructions and data for the proces- may be utilized to selectively control the functional 
sor and CP module 30 serves to execute instructions characteristics of computer 302. Similarly, two addition 
within computer 302. As those skilled in the art will 20 I identical copies of this code are contained within EE- 
appreciate, each of these multichip modules 24, 26, 28 PROM 54. 

and 30 constitutes a highly complex electronic module In the depicted embodunent of the present invention, 
which may include more than one hundred integrated each multibit alterable code includes various fields of 
circuit devices, each equivalent to thousands or miUions data. For example, a model number field may be pro- 
of transistors. 25 vided and utilized to store an identification of the model 

With reference now to FIG. 2, there is depicted a number of computer 302. Additionally, in the illustrated 
high level schematic representation of one multichip embodiment of the present invention, multiple unique 
module from central electronics complex 16 of FIG. 1. identification codes are also provided. In one implemen- 
As illustrated, B module 28 is illustrated along with tation of the present invention, six different fifly-six bit 
several of its high level components. For example, a 30 identification codes are provided within each copy of 
large portion of B module 28 is depicted generally at the muldbit alterable code contained within EEPROM 
reference numeral 40, which represents the various 52 and EEPROM 54, These unique identification codes 
control functions implemented within this multichip will be utilized in a manner which will be explained in 
module. A buffer 42 is preferably provided to buffer greater detail below. Additionally, selected "personal- 
instructions and data from CP module 30 and a direc- 35 ity" data is also present within each copy of the multibit 
tory 46 and cache 48 are also typically provided to alterable code within EEPROM 52 and EEPROM 54, 
buffer and control data between B module 28 and SC which may be utilized to specify the selected functional 
module 24. characteristics of computer 302. 

Additionally, as those skilled in this art will appreci- As those skilled in the ad will appreciate, mainframe 
ate, a translation lookaside buffer (TLB) 44 is also pro- 40 computers such as the International Business Machines 

vided and is utilized, in a manner well known in the art, Corporation Systena/390 may include multiple levels of 

to translate virtual memory addresses into real memory functional capability which may be provided by vary- 

addresses within main store or other locations within ing the range of memory that may be accessed within a 

computer 302. Thus, it should be apparent that the func- particular computer system, the number or percentage 
tional characteristics of computer 302 may be altered 45 of processors which are enabled within a particular 

and controlled by varying the capabilities and circuitry computer, the amount of usable cache memory within a 

of B module 28; however, the complexity required to particular computer and the processor speed and/or 

manufacture and maintain multiple varieties of B mod- capability provided within a particular computer. Thus, 

ule 28 would be greatly diminished if the functional by providing computer 302 with the capability of all of 
characteristics associated with this multichip module 50 these functional characteristics during the manufacture 

might be electronically manipulated. ing process a selected subset or variations of those func- 

With reference now to FIG. 3 there is depicted a high tional characteristics may be enabled utilizmg the 

level schematic representation of a portion of the con- method and system of the present invention, 

trol and security logic circuitry which may be utilized In a manner which will be illustrated below, the ini- 
within B module 28 of FIG, 2. As illustrated, control 55 tial loading of the multiple copies of the multibit alter- 

circuitry 40 may be constructed including a control and able code within EEPROM 52 and EEPROM 54 may 

security logic chip 50 which is coupled to multiple be accomplished utilizing several different techniques, 

nonvolatile memory storage devices, such as EEPROM For example, an external I/O pod 72 is provided and 

52 and EEPROM 54. In the depicted embodiment of may be utilized to directiy load multiple copies of the 
the present invention control and security logic chip 50 60 multibit alterable code into EEPROM 52 and EE- 

preferably includes both an unsecure and a secure por- PROM 54 during the manufacturing process. Thereaf- 

tion. In a manner which will be described in greater ter, a fusible link, such as fusible link 74, may be opened, 

detail herein, a personality register may be established prohibiting the loading of altered multibit codes utiliz- 

withm the secure portion of control and security logic ing the external I/O pod 72. Alternately, the initial 
chip 50 and utilized to store data which has been re- 65 loading of the multibit alterable code or variations 

trieved from EEPROM 52 and/or EEPROM 54 to thereto may be accomplished utilizing the service pro- 

selectively alter the functional characteristics of com- cesser, via bus 80, through the unsecure portion of 

puter 302. control and security logic chip SO. As will be explained 
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in greater detail herein, this may be accomplished by tional characteristics and thereafter the control and 
requiring a user to enter codes matching two of the six security logic circuitry described herein may be utilized 
unique identification codes contained within each copy to selectively enable a subset of those functional charac- 
of the multibit alterable code and thereafter setting a teristics for a particular application, 
manufacturing mode (MM) bit 78 within control logic 5 With reference now to FIG. 5, there is depicted a 
68. When this bit is set, control logic 68 will permit high level logic flowchart which illustrates a manufac- 
alterations to the multibit alterable code within EE- turing process for creating a data processing system 
PROM 52 and EEPROM 54 to be accomplished. which may be utilized to implement the method and 

As set forth above, external I/O pod 72, in conjunc- system of the present invention. As illustrated, this pro- 
tion with fusible link 74, may be utilized to permit ac- 10 cess begins at block 100 and thereafter passes to block 
cess to secure logic for manufacturing tests, as well as 102. Block 102 illustrates the preinitiadization of the 
initialization of **blank" EEPROMs mounted within a EEPROMs and the setting of the manufacturing mode 
multichip module. The provision of external I/O pod 72 (MM) bit to "1'* within control logic 68 (see FIG. 4). Of 
and fusible link 74 is typically required due to the fact course, as described above, the setting of the manufac- 
that EEPROMs which are initialized prior to mounting 15 turing mode (MM) bit to "1" within control logic 68 
within a multichip module often loose their initial val- will not be necessary if the EEPROMs arc initialized 
ues during the manufacturing process. Additionally, utilizing external I/O port 72 and fusible link 74, as 
exhaustive testing of the secure logic is typically re- described above. Thereafter, the process passes to block 
quired in order to assure proper operation of the data 104. Block 104 illustrates the moimting of the control 
processing system. Thus, there are, in accordance with 20 chips and EEPROMs within a multichip module. While 
thedepictedembodiment of the present invention, three the illustrated embodiment depicted herein shows the 
methods for initializing the EEPROMs. Firstly, exter- mounting of the control and security logic chip within 
nal I/O port 72 and fusible link 74 may be utilized in a B module 28, those skilled in the ad will appreciate that 
system to initialize the nonvolatile storage by means of this method and system may be utilized within any 
a service processor. Secondly, external I/O pod 72 and 25 multichip module within the central electronics corn- 
fusible link 74 may be utilized in a test bed via scan or plex, or directly within the central electronics complex 
via EEPROM redriven logic through the logic cirr in systems wldch do not utilize multichip modules, 
cuitry, and third, the EEPROMs may be initialized by Next, the process passes to block 106. Block 106 illus- 
presetting the manufacturing mode (MM) bit 78 during trates the testing of the mounted chips. Thereafter, as 
the manufacturing process, 30 depicted within block 108, if the mounted chips do not 

Having loaded multiple copies of a multibit alterable satisfactorily test, the process passes to block 110 which 
code within EEPROM 52 and EEPROM 54 within illustrates the replacing of the defective chips and the 
computer 302, control logic 68 then obtains the so- process then returns, in an iterative fashion, to block 
called "personality" data from one copy of the multibit 106. 

alterable code and loads that information into a non- 35 In the event the mounted control chips and EE- 
scannable personality register 70 within the secure por- PROMs test satisfactorily, the process passes from 
tion of control and security logic chip 50. Personality block 108 to block 112. Block 112 illustrates the encap- 
register 70 is preferably utilized to maintain the current sulation of the multichip module containing the control 
personality data stored within the multibit alterable chips and EEPROMs. Those skilled in the art will ap- 
code in a manner such that other modules or chips 40 predate that this encapsulation process may be accom- 
within computer 302 may access that information and plished utilizing any well known encapsidation tech- 
determine whether or not selected functional character- nique which provides physical security for the inte- 
istics within computer 302 are enabled and presently grated circuits mounted within such a module. Thereaf- 
being utilized. ter, the process passes to block 114. Block 114 illustrates 

The schematic representation within FIG. 4 is a rcla- 45 the performing of so-called "bum-in" and the testing of 
tively high level representation and those skilled in the the module. Next, the process passes to block 116 which 
art will appreciate that additional control logic circuitry illustrates a determination of whether or not the test 
may also be utilized. For example, a status register is was satisfactorily completed. If not, the process passes 
preferably provided which is utUized to store the num- to block 118 which illustrates the uncapping of the 
ber of access attempts which have occ\irred since a 50 multichip module and the process then returns itera- 
succcssful loading or alteration of the multibit alterable tively to block 110, which depicts the replacing of the 
code. In a manner well known to those having skill in defective chips. The process then repeats until such 
the security data art, the number of such attempts may time as the control chips and EEPROMs have been 
be limited to a relatively small number of attempted successfully mounted, bum-in has been performed and a 
accesses and an attempted access or alteration of that 55 test has been satisfactorily completed, 
data which exceeds this preselected limit may be uti- Still referring to block 116, in the event the test has 
lized to place computer 10 within a default or lockout been completed satisfactorily, the process passes to 
mode, prohibiting further attempts to modify the func- block 120. Block 120 illustrates the personalization of 
tional characteristics of the computer. Additionally, a the EEPROM chips in association with a serial number 
log area is preferably provided within EEPROM 52 and 60 assigned to each module. This may be accomplished via 
EEPROM 54, which may be utilized to store various the service processor from a manufacturing database 
data entered therein, without requiring unique identifi- 122. Those skilled in the art will appreciate that it will 
cation codes. For example, various maintenance and be necessary to maintain, within manufacturing data- 
modification data may be stored therein.. Upon refer- base 122, a record of the serial number and unique iden- 
ence to the foregoing those skilled in the ad will appre- 65 tification codes assigned to each module manufactured 
ciate that the method and system described herein will utilizing this technique, such that service personnel may 
permit a manufacturer to manufacture a computer sys- alter the selected functional characteristics of the com- 
tem which includes a full set of predetermined func- puter which utilizes these modxiles by matching the 
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unique identification numbers stored therein, daring teristics of a data processing system in accordance with 
that process. Additionally, as described above, the man- the method and system of the present invention. As 
ufacturing database may accomplish this process utiliz- depicted, this process begins at block 180 and thereafter 
ing an external I/O pod and fusible link, such as that passes to block 182. Block 182 illustrates the process 
described within FIG. 4. 5 whereby a new encoded personahty and security code 
After the EEPROM chips within a multichip module number is received by control logic 68 (see FIG. 4) via 
have been customized, the process passes to block 124. the keyboard, direct access storage devices or a tele- 
Block 124 illustrates the performance of a system test, communications link. Thereafter, the process passes to 
and the process then passes to block 126. Block 126 block 184. Block 184 illustrates the transmission of the 
depicts a determination of whether or not the system 10 encoded personality and security code number to B 
test was completed satisfactorily and if not, the process module 28, followed by the associated command, 
returns to block 118 in an iterative fashion, and pro- Thereafter, block 186 iUustrates a determination of 
ceeds as described above. Still referring to block 126, in whether or not the command transmitted by the service 
the event the system test is concluded satisfactorily, the processor is a conunand to update the "personality," or 
process passes to block 128. Block 128 illustrates the 15 functional characteristics of die data processing system, 
opening of the fusible link (sec FIG. 4) and the activa- If not, the process passes via coxmector A, at reference 
tion of security within control logic 68. Thereafter, the numeral 188, to the portion of the process depicted 
process passes to block 130 and terminates. within FIG. lb, which will be described in greater de- 
Referring now to FIG. 6, there is depicted a high tafl below, 
level logic flowchart which illustrates the enablement 20 Still referring to block 186, in the event command 
of selected functional characteristics within a data pro- transmitted by the service processor is a command to 
cessing system, m response to the application of electri- update the personality or functional characteristics of 
cal power, in accordance with the method and system the data processing system, the process passes to block 
of the present invention. As depicted, the process begins 190. Block 190 illustrates a determination of whether or 
at block 150 and thereafter passes to block 152 which 25 not this attempt to access control logic 68 is equal to the 
illustrates the powering on of the central electronics limit of the number of access attempts permitted. If so, 
complex. Thereafter, the process passes to block 154 the process passes to block 192 which illustrates the 
which illustrates the starling of the system clock. Next, setting of the so-called "lockout" state within the status 
the process passes to block 156 which illustrates a deter- register of control logic 68 and no further attempts to 
mination of whether or not a power on pattern equals a 30 alter the functional characteristics of the data process- 
predetermined preset value. This determination is re- ing system will be permitted. The process then passes to 
quired in order to prohibit the functional characteristics block 194 and returns. 

of a data processing system from being altered in an Still referring to block 190, in the event the current 

unauthorized fashion by selectively removing power access attempt count does not equal the limit on such 

from the central electronics complex. If the power on 35 attempts, the process passes to block 196. Block 196 

pattern is equal to the predetermined preset value, the illustrates the reading of the status and the unique secu- 

process passes to block 158, which illustrates normal rity identification code from the first good copy within 

operation of the data processing system. the EEPROM chips. The process then passes to block 

Still referring to block 156, in the event the power on 198, which iUustrates a determination of whether or not 

pattern does not equal the predetermined preset value, 40 an error exists within this data. If not, the process passes 

the process passes to block 160. Block 160 illustrates the to block 200. 

loading of the personality data by control logic 68 into Block 200 illustrates a detennination of whether or 

personality register 70 (see FIG. 4). This is accom- not the entered unique security identification code is 

plished by utilizing control logic 68 to read the person- equal to the existing unique security identification code, 

ality data from the nonvolatile storage devices imple- 45 If not, the process passes to block 202 which illustrates 

mented utilizing EEPROM 52 and EEPROM 54. Next, the incrementing of the access attempt count and the 

the process passes to block 162. Block 162 illustrates the process then passes to block 194 and returns. In this 

setting of the power on pattern to the predetermined manner, as those skilled in the ad will appreciate, an 

preset value and the process then passes to block 164. unsuccessful attempt to access the personality data 

Block 164 then illustrates the control and security logic 50 within EEPROM 52 and EEPROM 54 to alter the 

chip driving the personality register values to the other functional characteristics of the data processing system 

chips within the module, and the process then passes to will not be permitted if the number of attempts exceeds 

block 158 which illustrates normal operation. a predetermined small number. 

Upon reference to the foregoing those skilled in the Still referring to block 200, in the event the entered 

art will appreciate that by providing selected "personal- 55 security identification code does match the existing 

ity" data within nonvolatile storage devices within a unique security identification code the process passes to 

data processing system and accessing that data each block 204. Block 204 illustrates the setting of the access 

time power is applied to the data processing system, the attempt count to zero. Thereafter, the process passes to 

content of a personality register may be controlled block 206. Block 206 illustrates the decoding of the new 

which may then be utilized to enable and/or disable 60 personality data and the loading of that personality data 

various functional characteristics of the data processing into all four copies of the multibit alterable code within 

system, permitting the manufacturer to provide a vari- the EEPROM chips. A pointer within a status register 

ety of functional characteristic capabilities withm a is then incremented to point to the next of the six unique 

single data processing system, without physical or me- security identification codes. Those having skill in this 

chanical manipulation. 65 art will appreciate that the particular one of the six 

Finally, with reference to FIGS, la and lb, there is unique security identification codes utilized for each 

depicted a high level logic flowchart which illustrates such update or alteration will be altered by increment- 

the process of selectively altering the functional charac- ing this pointer, such that the same unique security 
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identification code may not be utilized twice in succes- the status of the fusible link and the manufacturing 
sion. Of course, the six unique security identification mode bit In the event the fusible link is intact or the 
codes may be reutilized after all six have been utilized manufacturing mode (MM) bit is set, the process passes 
by having a pointer within the status register wrap back to block 244, which illustrates allowing the user to read 
to the first unique security identification code after the 5 from any field within the control and security logic, 
last unique security identification code has been uti- Thereafter, the process passes to block 246 and returns, 
lized. Alternately, those skilled in the art will appreciate Still referring to block 242, in the event the fusible link 
that the unique security identification codes described is not intact or the manufacturing mode (MM) bit is not 
herein may be self modifying in that after all six unique set, the process passes to block 248. Block 248 illustrates 
security identification codes have been utilized the posi- 10 the allowing of the user to read from the personality 
lions of those codes may be altered or scrambled utiliz- register, status register or log fields only. In this manner 
ing an algorithm which may be mimicked within the a user may determine the enabled status of functional 
manufacturing database. In yet another embodiment of characteristics within a particular data processing sys- 
the present invention a DES algorithm may be utilized tern but may not access the unique security identifica- 
to encrypt each unique security identification code in a 15 tion codes contained therein.. Thereafter, the process 
unique manner for each operation. Thereafter, the pro- passes to block 246 and returns, 
cess passes to block 208 and returns. In this manner, the Referring again to block 240, in the event the com- 
subset of enabled functional characteristics within a mand transmitted by the service processor is not a 
data processing system may be electronically altered, "read" command, the process passes to block 250. 
without the necessity of physical or mechanical manipu- 20 Block 250 illustrates a determination of whether or not 
lation of the data processing system. the conmiand transmitted by the service processor is a 

Referring back to block 198, in the event an error command to set the manufacturing mode (MM) bit 
within the data in the EEPROM chip is detected, the equal to "1 /* If so, the process passes to block 252. 
process passes to block 210. Block 210 illustrates a de- Block 252 illustrates a determination of whether or not 
termination of whether or not any "good" copies of this 25 the user has entered two unique security identification 
data remains within one of the EEPROM chips. If not, code numbers. Those skilled in the art will appreciate 
the process passes to block 212, which iDustrates the that when operating in the manufacturing mode the 
setting of "lockout" in the status register and the assign- functional characteristics of the data processing system 
ing of a "default" personality to the data processing may be simply and easOy changed. Thus, in order to set 
system. Thus, in the event the data within the EE- 30 this mode of operation the method and system of the 
PROM chips has been corrupted or is no longer avail- present invention requires the operator to identicaUy 
able, a "default" subset offunctional characteristics will match two fifty-six bit unique security identification 
be selected. Thereafter, the process passes to block 208 codes which were entered into the EEPROM chips 
and returns. during initial loading and stored within the manufactur- 

Still referring to block 210, in the event a "good" 35 ing database, as described above. If a match occurs with 
copy of the data remains within an EEPROM chip, the two imique security identification code numbers, as 
process passes to block 214. Block 214 illustrates the depicted at block 252, the process passes to block 254. 
invalidation of the previous copy of that data and there- Block 254 illustrates the setting of the manufacturing 
after, as depicted at block 216, the next copy of the data mode and the process then passes to block 256 and 
within one of the EEPROM chips is accessed. Thereaf- 40 returns. 

ter, the process returns to block 196, in an iterative Still referring to block 252, in the event the user has 
fashion. not matched two unique security identification code 

Referring now spedfically to FIG. lb, in the event numbers, the process passes to block 258. Block 258 
the command transmitted by the service processor to illustrates a determination of whether or not the access 
control logic 68 (see FIG. 4) is not an update personal- 45 attempt count is equal to the predetermined limit for 
ity command, the process passes via connector A, at such attempts. If not, the process passes to block 260 
reference numeral 188, to block 230. Block 230 illus- which illustrates the incrementing of the access attempt 
trates a determination of whether or not the command count and the process then returns, as depicted at block 
transmitted from the service processor is a "write" 256, Still referring to block 258, in the event the access 
command. If so, the process passes to block 232. Block 50 attempt count is equal to the predetermined limit, the 
232 illustrates a determination of whether or not fusible process passes to block 262. Block 262 illustrates the 
link 74 is intact or the manufacturing mode bit (MM) 78 setting of the "lockout" status and the process then 
is set (see FIG. 4). If so, the process passes to block 234 returns, as depicted at block 264. 
which illustrates the permitting of the user to write to Referring again to block 250, in the event the com- 
any field within the control and security logic. Thereaf- 55 mand transmitted from the service processor is not a 
ter, the process passes to block 236 and returns. Alter- command to set the manufacturing mode, the process 
nately, referring to block 232, in the event the fusible passes to block 270. Block 270 illustrates a determina- 
link is not intact or the manufacturing mode (MM) bit is tion of whether or not the command transmitted by the 
not set, the process passes to block 238. Block 238 illus- service processor is a command to set the "freeze" 
trates the allowing of the user to write to the log field 60 mode. A "freeze" mode, as those skilled in the art will 
only within the EEPROM chips. Thereafter, the pro- appreciate, may be utilized to lockout further attempts 
cess passes to block 236 and returns. to access the personality data within the control and 

Referring again to block 230, in the event the com- security logic circuitry such that future attempts to alter 
mand received is not a "write" command, the process or modify the functional characteristics of the data 
passes to block 240. In a similar fashion to that described 65 processing system will not be permitted. In the event a 
above, block 240 illustrates a determination of whether "freeze" mode command is received, the process passes 
or the received command is a "read" command. If so, to block 272. Block 272 illustrates a determination of 
the process passes to block 242 to once again determine whether or not the entered unique security identifica- 
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tion code matches the current unique security identifi- tor, that unique access codes can simultaniously gener- 

cation code. If so, the process passes to block 262, ated in the controUing location manufacturing for in- 

which illustrates the setting of the "lockout" status and stance and the computer system. The pseudo random 

subsequent return, as depicted at block 264. In the event nature of the resulting access code combined with hard- 

thc entered unique security identification code does not 5 ware that restricts the number of invalid attempts to 

match the current unique security identification code, match the access code makes it unlikely that there could 

the process passes to block 258, m an iterative fashion, be a successful guess. This generator doesn't require 

to determine whether or not this access attempt consti- expensive logic such as multipliers in its algorithm 

tutes an attempt equal to the limit on such attempts and which would be the case of the DES algorithm, 

an incrementing of that access attempt count, if the 10 piG. 8 illustrates our preferred embodiment in which 

current attempt count docs not equal the limit. there is a secure fixnction transmitter 301 remote to the 

Referring again to block 270, in the event the com- computer system 302. The function transmitter is kept 

mand transmitted by the service processor is not a secure area and it's purpose is to keep track of the 

"freeze" mode command, the process passes to block present PIN number of each computer system by main- 

280. Block 280 Ulustrates a determination of whether or 15 ^^^^ ^ fjjg t^at is related to the serial number of the 

not the command transmitted by Oie service processor computer system. At any time, a new function can be 

is a command to set the default mode. If not, the process g^t into the computer system by matching the PIN num- 

merely passes to block 264 and returns. Ho wever, m the generated in the transmitter with the PIN number 

event the command receiv^ T'^L^T* .n ^^^^V <^ted in the computer system in this case 

mand, the process passes to block 282. Block 282 ill^- 20 ^^^^^^ ^^^^^j 

trates a det^unation of whether or not the entered ^^^o function 308 registers within the proces- 

umque security identification code matches the current system 

unique security identification co^^^^ proems ^ ^ .^^^ ^^^^^ ^^^^^ transmitter 

passes to block 284 which d^^^^ might operat^ on secure file data 310 and key entry data 

defauh mode personahty. However, m the event the 25 311 to iLage nonvolatile storage 313 with a PIN gen- 

entered umque sccunty identification code does not ^ * j miJ j r ^- ^tsZ. 

1^ * \ erator 314 to send a umque PIN and function 315 to a 

equal the current umque secunty identification code the ^ ^ 

v^iMu wi«jiw V >i , ; , X • remote computer system 316. 

process returns iteratively to block 258, to once agam ajai^m .... 

^ , . ^, . FIG- 10 shows the matchmg logic m the computer 

determme the current access attempt count ana/or m- . ^1. * ^ . . ...t- *^ 1 

, ^ . system that generates umque pms 320 with its nonvola- 

crement that count. 30 j; j * x-t «?o * - 

Retummg to our improvement relating to the secure ^/J^*^/^^^ ^^^^^ ^^.T^^ 
PIN function which is coimnunicated to the forgoing ^^^'^ penmttmg the function register 321 to be 
computer system 302, FIG. 8 shows a remote secure ^^I^^^^* Not shown here is the hardw^e security and 
function transmitter 301 communicating with the com- a^^^s ^ l^g^c described m the referenced mven- 
puter system 302 having the significant components 35 1. 1. j . . 
described above. The computer system 302 conforms to ^p' ^1 s^^^ws how the access code generators m 
the processor of FIG. 8 in the preferred embodiment, ^^^^ computer system and transmitter mterract. The 
and has a has a processor, a memory, a secure control, components are the non-volatilc secure data fields LN 
a function 308, and an I/O pod. The secure fimction ?25 where ' W' is an integer >2, a vector that ad^esses 
transmitter in accordance with our invention has a se- 40 I^^ta field N", the operator 327 which is a a set of logic 
cure control generator 303 and transmitter for transmis- operates on the data fields 325, Pointer 326 and 
sion of a generated security signal to the computer produces an access code 328 or "PIN", 
system 302 via data link 309 which may be wire, fiber F^G. U descnbes the access code generation algo- 
optic, or wireless. FIG. 9 illustrates our secure function rithm. The pointer 330 points to data field "N". The 
transmitter in more detail with attachment to a perma- 43 Data from data field "N" is exclusive or'd with the data 
nent file 310 and manual entry device 311 as weU as the data field "N + 1" 331, The result of the exclusive 
major components of the secure function generator or is the PIN. If the PIN matches the incoming PIN, the 
used to create the access code PIN and combine it with new fimction is set into the fimction register and then 
the required function 315. FIG. 10 shows the secure data field "N + 1" is rotated left by "B» where B is an 
fimction controUer 318 within a computer system. It's 50 a field firom data field "N" the high 3 bits for instance, 
major components are a communications path from the Next die Data field "n" is rotated right 1 position 335 
remote function generator 317 over which a PIN and and finaly, the pointer is incremented by 1 335. 
new function code are passed, a non-volatile data area While wc have described our preferred embodiments 
319, an access code generator 320 and a function con- of our invention, it will be understood that those skilled 
trol register 321. FIG. 11 shows our access code PIN 55 in the ad, both now and in the fiiture, may make make 
generator, within it a secure, non-volatile store 325 such various improvements and enhancements which fall 
as an EEPROM with N data fields, a pointer to the Nth within the scope of the claims which follow. These 
data field 326, an "operator" 327 responsible for man- claims should be construed to maintain the proper pro- 
ageing the data fields and generating the new access tection for the invention first disclosed, 
code 328 to be used to validate the new function. A 60 What is claimed is: 
copy of this access code generator is in FIG. 8 both the LA data processing system comprising: 
secure function transmitter 301 and the computer sys- a locally accessed computer system, 
tem 302. a secure remote access number generator for generat- 

HG. 12 shows a access generation/update flow dia- ing an access number for selectively transmitting 
gram depicting the logical steps used in creating the 65 said access number to said locally accessed corn- 
new access code used for each functional update. puter system. 

Turning now to our invention in greater detail, it will a local secure access control within said locally ac- 

be seen from the description of the access code genera- cessed computer system, 
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a data link for transmitting said access number along ber and if the comparison results in a match new param- 

with a unique entered personal identification num- eters are enabled. 

ber of altering parameters of the locally accessed 7. A data processing system according to claim 6 

computer system after the locally accessed com- further comprising: 

puter system has been accessed by a transmission 5 control means for enabling a selected subset of pa- 

from the secure remote access number generator, rameters from a predetermined set of parameters, 

gjj^ said control means being enabled each time a vali- 

means within the locally accessed computer system dated personal identification number is provided to 

for comparing said entered personal identification the locdly accessed computer system by compari- 

number to said access number a predetermined son with a state of multtbit alterable code withm 

number of times. said non-volatde storage a^^ ^. . , . , 

wherein if there is a match between said entered ^ data processmg system accordmg to clami 7 

personal identification number and said access ^^-?V"u kT^ "T"' .'"^f^^^f^^ 

number prior to said predetermined number, pa- ^^^^ibit alterable code, wherem, based on said multibit 
* f -J 1 11,. ^,rc.f~ 15 alterable code, said control means enables an alternate 

rameters of said locally accessed computer system u*r-j *r * i.^ 

,^ J ' r ^ subset of said set of parameters each tune power is ap- 

are altered. - * 

^ . ^ ^ J- * 1 phed to said data processmg system, 

2. A data processmg syjem ac(X)rdmg to clami 1 9. The data processing system of clahn 8 wherein said 
wherem the locaUy accessed computer system mcludes ^^^^^ ^^^^^^^^ code deludes a unique identification 
a processor amemory, said local secure access co^^^ ^^^^^ selectively altering 
means for altenng parameters of said locaUy accessed ^^^^^^ comprises means for enter- 
compute system, and an I/O port. ing an identification code and thereafter altering said 
3 A data processmg system accordmg to clami 2 ^^^^.^ ^^^^^j^ ^^^^ ^ ^ ^^^^^ 
further compnsmg a transmitter associated with said ^^^^^^^ ^^^^^ identification code and said 
secure remote access generator for transmission of a ^5 ^^^^ identification code. 

generated sonirity signal through the data link of the jj^^ processing system of claim 9 wherein 

data processing system, said multibit security code is initially stored within said 

4. A data processing system accordmg to claim 2 physically secure nonvolatile storage device via a physi- 
wherein said secure remote access number generator ^^^y alterable electronic hnk and wherein said system 
passes a personal identification number and a parameter further includes means for destroying said physically 
modification code to the local secure access control of alterable electronic link after said initial storing of said 
the locally accessed computer system, and further in- multibit alterable code. 

eluding a nonvolatile data area for storing personal jj^ data processing system of claim 10 further 

identification numbers, a personal identification number including means for storing said unique identification 
generator and a function control register. 35 code at a central control facility where said remote 

5. A data processing system according to claim 4 access code generator is located. 

wherein said non-volatile data area includes a plurality X2. The data processing system according to claim 9 

of N data fields, a pointer to the Nth data field, and an wherem a particular subset of said predetermined set of 

operator responsible for managing the data fields and parameters comprises a valid memory address range 
generating a new personal identification number to be 40 within said memory within said data processing system 

used for altering the parameters of the locally accessed and wherein said system fiirther includes means for 

computer system. ^ limiting a user of said data processing system to access 

6. A data processing system according to claim 5 within said valid memory address range in response to 
wherein the local secure access control of the locally enabling of said particular subset of said predetermined 
accessed computer system compares the personal iden- 45 set of parameters. 

tification number with a stored code or generated num- » » » * • 
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